Target IP: 192.168.152.79
Come for the smiles, stay for the jokes.
There are two TCP ports open on the target machine: SSH and HTTP.
Port 80: HTTP
Running a curl request against this application does not reveal anything useful. From the source code above, there is only an image. Maybe this image contains hidden data?
The webpage above is displayed for this application.
Performing a directory search against this application shows that there is a Joomla website.
Running droopescan produces the interesting result above for the web application.
It looks like the host is running Joomla version 3.7.3-rc1.
The Joomla webpage above is displayed for this application. There are some potentially interesting usernames on this page. I performed a directory search against this application, but I did not find anything useful. I also tried to log in using default credentials, but that did not work either. Time to try brute-forcing.
I created a list of possible passwords from the main webpage.
The usernames I will use are shown above.
After using Burp Suite to perform the brute-forcing, I got access with the credential joomla:Gotham. Now I am able to access the administrator panel with these login details.
Since I have control over the templates, I will modify the error.php file of the protostar template with the Pentest Monkey PHP reverse shell.
I started a listener on port 8443, and visited http://192.168.152.79/joomla/templates/protostar/error.php to start the reverse shell connection. Now I have a foothold on the target machine.
I obtained the credentials for the MySQL database.
Using these credentials, I was able to log in to MySQL. There are two interesting databases here: batjoke and joomla_db.
The taskforce table inside batjoke contains the records above. The user rob is interesting because this user exists on the target machine. All the password hashes look to be base64-encoded.
After decoding the base64 string, I obtained the password above for the user rob.
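The weakness behind this step is that the "hash" column holds base64-encoded plaintext, and base64 is an encoding, not a hash. The following is an added example (not code from the original write-up) that audits rows of a constructed user table for exactly this pattern and shows the storage scheme that should have been used instead: salted PBKDF2-HMAC-SHA256 with constant-time verification. The sample rows and passwords are constructed here; they are not values from the box.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed sample rows modelled on a users table whose "hash" column is really
# base64 of the plaintext password (the situation found in the batjoke database).
SAMPLE_ROWS = [
    ("rob", base64.b64encode(b"example-password-1").decode()),
    ("alice", base64.b64encode(b"hunter2").decode()),
]


def decode_if_base64_plaintext(value: str):
    """Return the decoded text if `value` is strict base64 of printable UTF-8, else None.

    A real salted hash (hex digest, $-separated PHC string, etc.) fails one of these
    checks: invalid alphabet, bad padding, or non-printable decoded bytes.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_rows(rows):
    """Flag every (user, hash) row whose hash is just base64 of a printable string."""
    findings = []
    for user, value in rows:
        decoded = decode_if_base64_plaintext(value)
        if decoded is not None:
            findings.append((user, decoded))
    return findings


# What the column should contain instead: a salted, iterated hash.
def hash_password(password: str, iterations: int = 200_000) -> str:
    """Return a self-describing PBKDF2-HMAC-SHA256 record (raise iterations in production)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, plaintext in audit_rows(SAMPLE_ROWS):
        print(f"{user}: stored 'hash' is base64 of the plaintext {plaintext!r}")
    record = hash_password("example-password-1")
    print("proper record:", record)
    print("audit flags proper record:", decode_if_base64_plaintext(record) is not None)
```

Run as a script it prints the two flagged rows and shows that a PBKDF2 record is not flagged, because the `$` separators are outside the base64 alphabet and the digest is not printable text.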
And now I have access as the user rob using the password from above.
There are interesting files here. The file Abnerineedyourhelp contains an encoded message that looks to have been encrypted with a Caesar cipher, and there is also a base64 string at the end.
Decrypting the encoded message outputs the text above. The message is directed to Abner, and the string is the password for this user.
Trying to decode the string directly, I had no luck. After altering the string with rot13, I was finally able to decode it and obtain the password I33hope99my0death000makes44more8cents00than0my0life0 shown above.
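The two-step decoding used here (a letter shift, then base64) can be generalised so that rot13 does not have to be guessed: shift the string by every one of the 26 Caesar offsets and keep only the offsets at which the result is valid base64 of printable text. This is an added example and not code from the original write-up; the encoded sample is constructed inside the block rather than taken from the file on the box. Because a base64 string stays within the base64 alphabet under any letter shift, the decode step alone does not discriminate, so the printable-text filter is what rejects the 25 wrong offsets (very short inputs could still yield a false positive, which is why all hits are returned rather than the first).

```python
import base64
import binascii
import string


def caesar_shift(text: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions; digits, '+', '/' and '=' are untouched."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def try_base64_text(candidate: str):
    """Strictly base64-decode `candidate`; return printable UTF-8 text or None."""
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def search_shift_then_base64(encoded: str):
    """Return every (shift, decoded_text) pair for which shifting then base64-decoding works.

    rot13 is the special case shift == 13; the loop covers all 26 offsets.
    """
    hits = []
    for shift in range(26):
        decoded = try_base64_text(caesar_shift(encoded, shift))
        if decoded is not None:
            hits.append((shift, decoded))
    return hits


# Constructed sample: a made-up secret, base64-encoded and then rot13'd, mimicking the
# layering seen in the write-up (not the real string from the box).
SAMPLE_PLAINTEXT = "constructed-sample-secret: not the password from the box"
SAMPLE_ENCODED = caesar_shift(base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-8")).decode(), 13)

if __name__ == "__main__":
    for shift, text in search_shift_then_base64(SAMPLE_ENCODED):
        print(f"shift {shift:2d}: {text}")
```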
Now I have access as the user abner using the password.
I tried manual enumeration but did not find anything. However, using the command find / -writable -type f 2>/dev/null, I found the interesting zip file above.
I started a Python http.server on the target machine. Then I downloaded this zip file to my local machine.
The zip file is password-protected. I tried using john to crack the password, but had no luck. When I tried the credential of abner obtained from the previous enumeration, it worked!
I obtained the file above after extracting the zip. The second line contains a string. I tried decoding it, but had no luck; I also tried the same rot13 step, but got nothing.
However, I noticed that I could use the string as-is without decoding it, and I was able to log in as the user penguin with it.
I ran pspy64 when I landed a foothold on the machine as www-data. Now I can modify the files above.
There is an interesting file called .trash_old which gets executed. I can put my reverse shell script here to gain a root shell.
After placing the reverse shell script inside .trash_old, I started a listener on port 8444 and changed the script's permissions to make it executable. After some time, I gained a root shell.
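The misconfiguration that hands over root here is a scheduled job running as root that executes a file a lower-privileged user can write to. The following added audit (not part of the original write-up) parses a system-style crontab, extracts the absolute paths each job references, and reports any of them that are group- or world-writable, not owned by the expected account, or located in a world-writable directory without the sticky bit (where the file could simply be replaced). The crontab text and script files are constructed in a temporary directory so the check runs without touching the real system; the `trusted_uid` parameter is a placeholder that would be 0 on a live host.

```python
import os
import stat
import tempfile


def paths_from_crontab(text: str):
    """Extract absolute paths from system crontab lines (min hour dom mon dow user command).

    Blank lines, comments and VAR=value lines are skipped. @reboot-style lines have
    fewer fields and are skipped too; extend the parser if your crontab uses them.
    """
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        for token in fields[6].split():
            if token.startswith("/"):
                paths.append(token)
    return paths


def risky_scripts(paths, trusted_uid=0):
    """Return [(path, [reasons])] for each existing path a non-trusted user could alter."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        parent = os.path.dirname(p) or "/"
        pst = os.stat(parent)
        if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
            reasons.append("parent directory world-writable without sticky bit")
        if reasons:
            findings.append((p, reasons))
    return findings


def demo():
    """Build a constructed crontab plus two scripts and return the audit findings."""
    workdir = tempfile.mkdtemp(prefix="cron-audit-")
    good = os.path.join(workdir, "housekeeping.sh")
    bad = os.path.join(workdir, "trash_old_bad.sh")
    for path, mode in ((good, 0o755), (bad, 0o777)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho constructed sample\n")
        os.chmod(path, mode)
    # Constructed crontab: both jobs run as root; only the second target is writable by others.
    crontab = f"""SHELL=/bin/sh
# constructed sample crontab
0 3 * * * root {good} --quiet
*/5 * * * * root {bad}
"""
    # On a live host the trusted owner is root (uid 0); here the files belong to us.
    return risky_scripts(paths_from_crontab(crontab), trusted_uid=os.getuid())


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", ", ".join(reasons))
```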
The local.txt flag, obtained once I gained a foothold on the target machine.
The proof.txt flag, obtained once I gained a root shell.